Last active
January 30, 2017 00:11
-
-
Save pcurylo/fa3801c47bb12a147dfd01460295d061 to your computer and use it in GitHub Desktop.
Setup OpenSSH on Ubuntu
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #source: https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29 | |
| #source: manpage | |
| #source: http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf | |
| #source: https://blog.g3rt.nl/upgrade-your-ssh-keys.html | |
| YEL='\033[1;33m' | |
| RED='\033[1;31m' | |
| GRN='\033[1;32m' | |
| NC='\033[0m' # No Color | |
| backup_file() { | |
| if [ -f $1.orig ] ; | |
| then | |
| echo "$1.orig already exists." | |
| else | |
| cp $1{,.orig} | |
| chmod a-w $1.orig | |
| fi | |
| } | |
| replace_line() { | |
| sed -i -e "s|$1|$2|" $3 | |
| } | |
| delete_line() { | |
| sed -i -e "\|$1|d" $2 | |
| } | |
| add_after_line() { | |
| sed -i -e "\|$2| a $1" $3 | |
| } | |
| echo -e "Setup OpenSSH" | |
| echo -e "${GRN}--${NC}Installing OpenSSH server" | |
| apt-get install openssh-server -y | |
| FILE=/etc/ssh/sshd_config | |
| echo -e "${GRN}--${NC}Modifying ${FILE}" | |
| backup_file ${FILE} | |
| echo -e "${GRN} --${NC}Removing DSA host key for protocol ver 2" | |
| delete_line 'HostKey /etc/ssh/ssh_host_dsa_key' ${FILE} | |
| #rm /etc/ssh/ssh_host_dsa_key* | |
| echo -e "${GRN} --${NC}Reorder remaining host keys for protocol ver 2" | |
| replace_line 'HostKey /etc/ssh/ssh_host_rsa_key' 'HostKey /etc/ssh/ssh_host_SLOT1' ${FILE} | |
| replace_line 'HostKey /etc/ssh/ssh_host_ecdsa_key' 'HostKey /etc/ssh/ssh_host_SLOT2' ${FILE} | |
| replace_line 'HostKey /etc/ssh/ssh_host_ed25519_key' 'HostKey /etc/ssh/ssh_host_SLOT3' ${FILE} | |
| replace_line 'HostKey /etc/ssh/ssh_host_SLOT1' 'HostKey /etc/ssh/ssh_host_ed25519_key' ${FILE} | |
| replace_line 'HostKey /etc/ssh/ssh_host_SLOT2' 'HostKey /etc/ssh/ssh_host_ecdsa_key' ${FILE} | |
| replace_line 'HostKey /etc/ssh/ssh_host_SLOT3' 'HostKey /etc/ssh/ssh_host_rsa_key' ${FILE} | |
| echo -e "${GRN} --${NC}Adding Kex Algorithms" | |
| add_after_line 'HostKey /etc/ssh/ssh_host_rsa_key' '# Permitted key exchange algorithms' ${FILE} | |
| add_after_line '# Permitted key exchange algorithms' 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' ${FILE} | |
| echo -e "${GRN} --${NC}Adding Cipher Algorithms" | |
| add_after_line 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' '# Permitted ciphers' ${FILE} | |
| add_after_line '# Permitted ciphers' 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' ${FILE} | |
| echo -e "${GRN} --${NC}Adding MAC Algorithms" | |
| add_after_line 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' '# Permitted MAC algorithms' ${FILE} | |
| add_after_line '# Permitted MAC algorithms' 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' ${FILE} | |
| echo -e "${GRN} --${NC}Prohibit root login" | |
| replace_line 'PermitRootLogin prohibit-password' 'PermitRootLogin no' ${FILE} | |
| echo -e "${GRN} --${NC}Specifying authentication methods - publickey only" | |
| add_after_line 'AuthenticationMethods publickey' 'PermitRootLogin' ${FILE} | |
| echo -e "${GRN} --${NC}Disabling password authentication" | |
| replace_line '#PasswordAuthentication yes' 'PasswordAuthentication no' ${FILE} | |
| echo -e "${GRN} --${NC}Disable Forwarding" | |
| replace_line 'AllowTcpForwarding yes' 'AllowTcpForwarding no' ${FILE} | |
| replace_line 'X11Forwarding yes' 'X11Forwarding no' ${FILE} | |
| echo -e "${GRN} --${NC}Reduce Max Startups" | |
| replace_line '#MaxStartups 10:30:60' 'MaxStartups 2:30:10' ${FILE} | |
| echo -e "${GRN} --${NC}Increase log level" | |
| replace_line 'LogLevel INFO' 'LogLevel VERBOSE' ${FILE} | |
| echo -e "${GRN} --${NC}Set logon banner to /etc/issue.net" | |
| replace_line '#Banner /etc/issue.net' 'Banner /etc/issue.net' ${FILE} | |
| echo -e "${GRN} --${NC}Allow specific users" | |
| cat << EOT >> ${FILE} | |
| AllowUsers paul | |
| Match User paul | |
| AuthenticationMethods publickey password | |
| EOT | |
| echo -e "${GRN} --${NC}Set logging of sftp file access" | |
| replace_line 'Subsystem sftp /usr/lib/openssh/sftp-server' 'Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO' ${FILE} | |
| echo -e "${YEL}--${NC}Rate-limit connections with ufw (Ubuntu)" | |
| ufw enable | |
| ufw limit ssh | |
| echo -e "${GRN}--${NC}Edit logon banner" | |
| BANNER=/etc/issue.net | |
| backup_file ${BANNER} | |
| cat << EOB > ${BANNER} | |
| ============================== N O T I C E ===================================== | |
| You can expect NO explicit or implicit privacy for any access to this system. | |
| Access and use of this system and content on this system may be intercepted, | |
| monitored, recorded, copied, audited, inspected, and disclosed to appropriate | |
| persons and/or agencies. | |
| By accessing this system, you consent to interception, monitoring, recording, | |
| copying, auditing, inspection, and disclosure of your activities at the | |
| discretion of the system owner. | |
| Unauthorized or improper use of this system may result in civil and/or criminal | |
| penalties and administrative action, as appropriate. | |
| Your continued access and use indicates your consent to these terms and | |
| conditions of use. | |
| LOG OFF IMMEDIATELY if you do not agree to these conditions in this notice. | |
| EOB | |
| echo -e "${GRN}--${NC}Rekey the host - defaults are not appropriate" | |
| rm /etc/ssh/ssh_host_dsa_key* | |
| echo -e 'y\n' | ssh-keygen -o -a 100 -f /etc/ssh/ssh_host_ecdsa_key -t ecdsa -b 521 -q | |
| echo -e 'y\n' | ssh-keygen -o -a 100 -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 -q | |
| echo -e "${YEL}--${NC}Restart sshd" | |
| #restart ssh | |
| systemctl restart ssh | |
| ps -A | grep sshd | |
| ss -lnp | grep sshd | |
| echo -e "Keys in pref order: ${GRN}Ed25519${NC}, ${GRN}ECDSA${NC}, ${GRN}RSA 3072/4096${NC}" | |
| echo -e "Change/remove these keys: ${YEL}RSA 2048${NC}, ${RED}RSA 1024${NC}, ${RED}DSA 1024${NC}" | |
| echo -e "Current host keys in /etc/ssh/" | |
| for keyfile in /etc/ssh/ssh_host*; do ssh-keygen -l -f "${keyfile}"; done | uniq | |
| echo -e " " | |
| echo -e "Notes: Creating new keys" | |
| echo -e " host key: /etc/ssh/ssh_host_xxxx_key{,.pub}" | |
| echo -e " user key: ~/.ssh/ id_xxxx{,.pub}" | |
| echo -e "ssh-keygen -o -a 100 -t xxxx -f {host or user key} " | |
| echo -e " where xxxx is" | |
| echo -e " ed25519 " | |
| echo -e " ecdsa -b 521 (also still ok: 384,256) " | |
| echo -e " rsa -b 4096 " | |
| echo -e " -b for number of bits" | |
| echo -e " -o for new (OpenSSH 6.5+) format; not old PEM format" | |
| echo -e " -a for rounds (if setting passphrase)" | |
| echo -e " " | |
| echo -e "Change or set passphrase for keys" | |
| echo -e "ssh-keygen -p -o -a 100 -f {host or user private key}" | |
| echo -e " " | |
| echo -e "${YEL}--${NC}After copying ssh key to host, tighten security" | |
| echo -e "${YEL} --${NC}Remove 'Match' clause at end of sshd_config (2 lines)." | |
| echo -e " " | |
| unset backup_file | |
| unset replace_line | |
| unset FILE | |
| unset BANNER |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Need to run as sudo. Also, need to pull extra sudo commands out of script.